Research

Investigations into vulnerabilities, exploit paths, and root-cause behavior.

CATEGORY: RESEARCH DATE: 2026-03-21

Research by badjuju - Red Orca

The Clock Doesn't Lie: Timing Attacks in Authentication Flows

A timing side-channel in JSONAuth allows unauthenticated attackers to enumerate valid usernames based on response time differences.

#appsec #side-channel #enumeration #timing-attack

CATEGORY: RESEARCH DATE: 2026-03-09

Research by badjuju - Red Orca

Session Tokens and Password Changes: A Reauthentication Gap in Filebrowser Quantum

Analysis of a password change flow that accepts a valid session token without requiring current-password reauthentication.

#appsec #authentication #session-security #defense-in-depth

CATEGORY: RESEARCH DATE: 2026-03-07

Research by badjuju - Red Orca

Patch Analysis: When a Fix Doesn’t Go Far Enough

An analysis of an incomplete remediation in FileBrowser Quantum where tokenized download URLs remained exposed, resulting in an authentication bypass despite a prior security fix.

#appsec #cve #patch #patch-analysis

CATEGORY: RESEARCH DATE: 2026-02-19

Research by badjuju - Red Orca

Authentication Bypass via Forwarded Header Trust

Investigation into an authentication bypass caused by trusting a forwarded identity header at the edge gateway.

#appsec #auth #web